U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL

Catalyst for Improving the Environment

Audit Report

EPA Personnel Access and Security System Would Benefit from Improved Project Management to Control Costs and the Timeliness of Deliverables

Report No. 08-P-0271

September 22, 2008

Report Contributors:  Rudolph M. Brevard
                      Cheryl Reid
                      Teresa Richardson

Abbreviations

CMM     Contracts Management Manual
EPA     U.S. Environmental Protection Agency
EPASS   EPA Personnel Access and Security System
HSPD    Homeland Security Presidential Directive
IT      Information Technology
OARM    Office of Administration and Resources Management
OIG     Office of Inspector General
OMB     Office of Management and Budget
SDLC    System Development Life Cycle
SLCM    System Life Cycle Management
SMD     Security Management Division
SOW     Statement of Work
WQX     Water Quality Exchange

At a Glance

Why We Did This Review

We evaluated the cost justifications for major Information Technology (IT) investments in the U.S. Environmental Protection Agency (EPA) IT investment portfolio. We also evaluated contracted work for IT investments to determine whether the work met EPA’s (1) time and budget estimates, and (2) intended needs.

Background

EPA received $346 million in system development and/or maintenance funding for Fiscal Year 2007. This funding includes IT acquisition costs for contract services to develop and/or maintain IT systems.

What We Found

EPA has put into place processes to adequately justify costs of projects identified in its IT investments portfolio. However, the lack of key project management practices prevents it from achieving many of the projected milestone and budget estimates. In particular, EPA did not require the EPA Personnel Access and Security System (EPASS) contractor to follow Agency procedures for system development. EPASS did not have a Project Manager authorized to oversee the contractor’s work. EPA also paid for invoices that contained contractor labor overcharges. These system development procedures are designed to help management better predict and control project costs. Had EPA implemented processes to mitigate many of the identified system development weaknesses, it would have been better able to anticipate and possibly avoid most of the additional $983,216 in costs for EPASS. Further, had EPA implemented formal review procedures for contractor invoices, it would have prevented paying an estimated $75,276 in over-billed contractor labor charges. We were unable to determine whether the EPASS work would meet EPA’s intended needs because the project is under further development.

What We Recommend

Our recommendations to the Director, Security Management Division, Office of Administration, Office of Administration and Resources Management, are to:

• Develop and maintain an EPASS System Management Plan that includes the required Change Management and information security documents.
• Appoint a certified EPASS Project Manager with authority to oversee contractor work and ensure compliance with EPA’s System Life Cycle Management guidance.
• Issue a memorandum to all EPASS Task Order Project Officers that outlines and reinforces expectations for complying with EPA invoice reviewing guidance.
• Follow up with the Contracting Officer to ensure EPA collects from the contractor the amount EPA overpaid for billing rate errors in the contractor’s invoices.

The Agency indicated that it has taken actions to address many of our concerns. However, we believe the actions taken do not adequately address our recommendations. The Agency needs to take steps to put into place a structure to ensure that the EPASS project progresses through the System Development Life Cycle process as required by EPA guidance.

For further information, contact our Office of Congressional and Public Liaison at (202) 566-2391.

To view the full report, click on the following link: www.epa.gov/oig/reports/2008/20080922-08-P-0271.pdf

UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460

OFFICE OF INSPECTOR GENERAL

September 22, 2008

MEMORANDUM

SUBJECT:  EPA Personnel Access and Security System Would Benefit from Improved Project Management to Control Costs and the Timeliness of Deliverables
          Report No. 08-P-0271

FROM:     Patricia H. Hill
          Assistant Inspector General for Mission Systems

TO:       Wesley J. Carpenter
          Director, Security Management Division
          Office of Administration and Resources Management

This is our report on the subject audit conducted by the Office of Inspector General (OIG) of the U.S. Environmental Protection Agency (EPA).
This report contains findings that describe the problems the OIG has identified and corrective actions the OIG recommends. This report represents the opinion of the OIG and does not necessarily represent the final EPA position. Final determinations on matters in this report will be made by EPA managers in accordance with established audit resolution procedures.

The estimated cost of this report – calculated by multiplying the project’s staff days by the applicable daily full cost billing rates in effect at the time – is $391,452.

Action Required

In accordance with EPA Manual 2750, you are required to provide a written response to this report within 90 calendar days. You should include a corrective actions plan for agreed upon actions, including milestone dates. We have no objections to the further release of this report to the public. This report will be available at http://www.epa.gov/oig.

If you or your staff have any questions, please contact me at (202) 566-0894 or hill.patricia@epa.gov; or Rudolph M. Brevard, Director, Information Resources Management Assessments, at (202) 566-0893 or brevard.rudy@epa.gov.

Table of Contents

Chapters

1  Introduction
     Purpose
     Background
     Scope and Methodology
     Noteworthy Achievements

2  EPASS Needs Improved Contract Management and System Development Practices
     SMD Did Not Follow Agency Procedures for System Development
     SMD Did Not Require Contractor to Deliver Tasks by Due Dates
     SMD Approved Contractor Invoices Containing Overcharges
     Improved Project Management Oversight Needed
     Recommendations
     Agency Comments and OIG Evaluation

Status of Recommendations and Potential Monetary Benefits

Appendices

A  OIG Estimate of Efficiencies
B  Agency Response
C  Distribution

Chapter 1
Introduction

Purpose

We sought to determine whether the U.S. Environmental Protection Agency (EPA) justified the Information Technology (IT) investments outlined in its Capital Investment Plan. We also sought to determine (1) what contract work was completed, (2) was it completed within time and budget requirements, and (3) did the work meet EPA’s intended needs.

Background

During Fiscal Year 2007, EPA received $346 million to support acquiring and maintaining its IT systems. This funding included costs to procure contract services to develop and maintain EPA systems.

EPA offices document the system acquisition strategies and costs in the business cases that support their systems. EPA’s Chief Information Officer reviews this information for major IT investments through the Agency’s Capital Planning and Investment Control process. This process is a Federal mandate designed to assure that investments in IT resources achieve high value outcomes at acceptable costs. Upon funding of the proposed business cases by the Office of Management and Budget (OMB), EPA offices commence system acquisition plans as detailed in the business cases.

For IT investments reviewed during this audit, EPA offices used contract services to acquire the systems. As such, the Contracts Management Manual (CMM) and Interim Agency System Life Cycle Management (SLCM) procedures outline EPA’s contract management and system development requirements.
In particular:

• The CMM requires the Contracting Officer to (1) verify usage of the correct contract billing rates and (2) ensure billing rate changes are correctly applied at the end of each contract period. The CMM also requires the Contracting Officer to verify other conditions that may result in re-calculation or adjustment of billing rates. Further, the CMM requires offices to perform Government surveillance of the contract. The Agency or appointee should review the receipt of services to ensure it is getting what it requested and needed. Contracted services should also be monitored for compliance with established timeframes.

• The SLCM procedures require offices to complete the system definition phase prior to starting the System Development or Acquisition Phase. Most importantly, the procedures require offices to define the systems’ functional, technical, and data requirements.

Scope and Methodology

We performed this audit from February through October 2007 at EPA Headquarters in Washington, DC, in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient and appropriate evidence to provide a reasonable basis for our findings and conclusions based on the audit objectives.
We believe the evidence obtained provides a reasonable basis for our findings and conclusions.

We evaluated EPA program offices’ management control processes for compliance with Agency contracting and systems development requirements. We reviewed contract documents related to the systems reviewed under this audit. We interviewed EPA staff responsible for contractor work and management. We also reviewed contract invoices and schedules of deliverables.

We judgmentally selected two EPA systems that represented 20 percent of EPA’s Fiscal Year 2007 IT investment portfolio. We did not include financial and infrastructure IT investments, as we review these systems yearly during the Agency’s financial statement audit or these are included in the Office of Inspector General’s (OIG’s) annual audit plan. We reviewed the following systems:

• Water Quality Exchange (WQX) System, within the Office of Water. WQX provides a national picture of the surface and groundwater quality of the United States. WQX is the result of the redesigned STOrage and RETrieval water quality system. Under the Clean Water Act, EPA is responsible for monitoring the ambient surface and ground waters of the Nation. The Office of Wetlands, Oceans and Watersheds within the Office of Water is responsible for developing WQX.

• EPA Personnel Access and Security System (EPASS), within the Office of Administration and Resources Management (OARM). EPASS is the Agency’s implementation of Homeland Security Presidential Directive-12 (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors. This standard was signed by the President of the United States on August 27, 2004. Provisions 4 and 5 of the standard describe the timeline for federal departments and agencies to implement the standard. Implementation of the standard is to include both physical access to Agency facilities as well as electronic or logical access to Agency IT systems. The Security Management Division (SMD) within OARM is responsible for developing EPASS.

We did not find notable weaknesses in regards to WQX acquisition and subsequently informed the Office of Water of our findings. During preliminary research, we also did not find notable weaknesses with EPA processes that defined costs contained in Capital Planning and Investment Control business cases and did not pursue this area during field work.
We were unable to determine whether the work would meet EPA’s intended needs because the EPASS project is under further development.

We had no prior report recommendations to follow up on during this audit.

Noteworthy Achievements

EPA’s management stated it completed many key milestones for the EPASS project. EPASS received the authority to operate on January 25, 2007, and implemented a physical access control system at EPA's One Potomac Yard in Alexandria, Virginia. EPA issued its first smart card in October 2006, and EPA has and continues to issue smart cards to employees and non-Federal workers throughout the Agency.

Chapter 2
EPASS Needs Improved Contract Management and System Development Practices

Our review disclosed that EPA did not require the EPASS development contractor to follow Agency system development procedures. This hindered management’s ability to control project costs. Management officials stated they were unable to follow Agency procedures because of evolving requirements. However, we found EPA did not use a change management process to guide them in decisions for accepting risks resulting from the effects of these changing requirements. Although a qualified Project Manager was on the EPASS team, the Project Manager was not authorized to oversee the contractor’s work or was not positioned within the organization to influence major decisions made related to the development of EPASS.
We further disclosed that EPA paid additional charges for invoices that contained errors in contractor labor charges. Management’s informal processes for reviewing invoices for accuracy did not identify discrepancies before approval and payment. Had EPA implemented processes to mitigate system development weaknesses, it would have been better able to anticipate the additional $983,216 in costs for EPASS. Further, had EPA implemented formal review procedures for contractor invoices, it would have prevented paying an estimated $75,276 in billed contractor labor charges.

SMD Did Not Follow Agency Procedures for System Development

SMD’s management of the EPASS project did not conform to key system development requirements required by EPA SLCM guidance. In particular, SMD proceeded to develop EPASS without (1) putting in place a structure to control undefined EPASS requirements as they are known, and (2) appointing a qualified Project Manager who has authority to oversee all EPASS development efforts.

EPASS Needs Clearly Defined Requirements and Implemented Change Management Practices to Control Spending

SMD did not complete the EPASS Definition Phase before entering into a contract to develop the system, nor did the contractor complete the Definition Phase once SMD modified the Statement of Work. The Definition Phase defines the system’s functional, system, and data requirements and System Owners must complete this phase as required by EPA SLCM guidance. The Definition Phase is important because it assists management to ensure the intended system will support Agency requirements and control project costs.
Management stated they could not complete the Definition Phase requirements because of the evolving, changing, and increasing program requirements imposed by lead Federal agencies. Therefore, SMD issued a Statement of Work (SOW) that did not have detailed tasks that defined EPASS’ system requirements. SMD then modified this SOW to include detailed tasks, which the contractor prepared. However, these detailed tasks did not require the contractor to perform a Definition Phase.

SMD had not put into place practices to validate newly defined HSPD-12 requirements and formally introduce the new requirements into the EPASS system development process. A change management process is a key management control used to record management decisions regarding evolving system changes. During our discussions with management about the change management processes, they seemed unaware of EPA requirements. After audit field work, management provided us the OARM/Office of Administration Software Development Software Configuration Management Plan in response to our request for their change management procedures. This plan outlines the contractor procedures for making system changes to EPASS, upon receipt of a software change request/software error notice via a trouble ticket system. However, management did not provide evidence of the processes it uses to evaluate and approve EPASS system changes from evolving HSPD-12 requirements. Further, the plan (1) is a proprietary document used internally by the contractor, (2) was not related to EPA-specific SLCM system development requirements, and (3) was not formally adopted by EPA management.
Also, EPA management had not provided proof it implemented the practices outlined in the plan.

We found that SMD had not developed a System Management Plan, as required by SLCM guidance. This plan is the primary managerial document and serves as a portfolio of required documents used by System Managers to control, assess, and document the system throughout the SLC. EPA uses this plan as the principal tool for organizing and managing system project/program management information throughout the system life cycle.

Since SMD had not fully defined EPASS’ requirements or implemented a process to control unexpected system requirements, further EPASS system development efforts are at risk. SMD needs to develop a full picture of EPASS’ end state. Without this full picture, SMD cannot measure the contractor’s system development work to ensure EPASS will meet EPA’s desired needs. Had EPA implemented processes to mitigate system development weaknesses, it would have been better able to anticipate the additional $983,216 in costs for EPASS. This upward trend of unanticipated costs has potential to continue because SMD projects that EPASS development and implementation will continue through 2015.

EPASS Needs a Certified Project Manager

EPASS needs a Project Manager with the skills, qualifications, and authority to oversee a High-Risk system development project. SMD assigned a Project Officer to oversee the contractors developing EPASS. However, the Project Officer’s main responsibility was to perform contract management functions and the Project Officer does not possess the qualifications or skills needed to manage system development activities for a high-risk project like EPASS.
The EPASS Project Officer was not familiar with the Agency’s SLCM requirements and, as such, was not familiar with system development techniques or processes to reduce the risk to the Agency for this high-risk project.

There was a qualified Project Manager on the EPASS development team who indicated some involvement with system development and system design; however, the Project Manager was not given responsibility for monitoring the contractor's progress, work, and costs. The Project Officer did not want the assigned Project Manager to have authority or responsibility for (1) reviewing the contractor's monthly status reports, (2) monitoring work, and (3) reviewing invoices, because the Project Officer stated they would not be comfortable with the Project Manager having all of these responsibilities. The Project Officer performs some of these duties, but does not have the required training and experience to be appointed as a Project Manager, and does not have the time to get the certification. Therefore, management listed the Project Manager on the IT business case submitted to OMB for funding even though the Project Manager was not fulfilling the role as required by OMB and EPA.

EPA's SLCM procedures require assigning a Project Manager who is responsible for managing the entire project through its life cycle. These responsibilities include managing the project’s compliance with EPA SLCM policy and procedures, funding and resources, and system development processes. According to OMB, skilled project managers are critical in managing contractor activities to ensure they achieve intended outcomes.
As such, it appears that management placed the certified Project Manager on the project team to receive funding for EPASS and not to oversee the system development processes as intended by OMB.

After audit field work, we learned that SMD issued a new SOW, with potential funding of $9.6 million over the life of the contract. This new SOW will be used to continue EPASS system development and deployment. SMD officials stated that system development costs are about 10 percent of the new SOW. If SMD uses a system development approach as specified in EPA guidance, we estimate EPA could better anticipate $902,530 in unplanned project costs. See Appendix A for details.

SMD Did Not Require Contractor to Deliver Tasks by Due Dates

Tasks listed in the modified EPASS SOW were either late or lacked information on which to determine when the contractor was required to complete the assigned tasks. EPA’s CMM requires offices to perform government surveillance of the contract. The CMM requires the respective office to review the receipt of services to ensure it is getting what it requested and needed. The CMM also requires that contracted services should also be monitored for compliance with established timeframes.

SMD had the contractor prepare a detailed list of tasks with the dates the tasks were due.
However, our review of the tasks and milestones revealed that 59 percent (75 of 127) of the tasks were delivered at least 1 month or more late. Also, 27 of the 127 tasks either did not have a due date or a date delivered. Management had not responded to our inquiries regarding these late or undated deliverables.

The Government Accountability Office recognizes that mature and effective management of IT investments can vastly improve government performance and accountability. Without good management, such investments can result in wasteful spending and lost opportunities for improving delivery of services. We feel this lack of oversight over deliverables, coupled with the absence of basic system development practices as previously discussed, contributed to the unpredicted overspending on the development of EPASS.

SMD Approved Contractor Invoices Containing Overcharges

From November 2005 through July 2007, SMD did not have formal processes for reviewing invoices and did not identify incorrect labor charges on at least 10 monthly invoices paid by EPA. EPA's CMM states the Contracting Officer should periodically verify usage of the correct rates. This includes reviewing rates that change at the end of each contract period and verifying rates that are re-calculated or adjusted for any other reasons.

We learned that SMD subsequently reviewed all previous contractor invoices, identified billing discrepancies, and notified the Contracting Officer of the discrepancy. The Contracting Officer, in turn, issued a written request to the contractor regarding this matter. Based on our calculations, EPA paid an estimated $75,276 in incorrect contractor labor overcharges.
See Appendix A for details.

We further learned that after field work, the new EPASS Project Officer appointed five Task Order Project Officers and made them responsible for reviewing contractor invoices. Although SMD did not document this new internal review process, this informal practice resulted in SMD disapproving an invoice due to questions over billing.

Having documented procedures is the cornerstone of an effective internal control environment. Formal procedures help to ensure that personnel are aware of their responsibilities and understand the tasks that management intends to be accomplished. Because SMD uses a distributed structure for reviewing invoices, it is imperative that SMD document these procedures to ensure processes are followed during day-to-day operations and personnel turnover.

Improved Project Management Oversight Needed

In discussions with OARM management regarding these findings, management indicated that:

• Although EPASS had not been able to comply with EPA’s SLCM policy for the definition phase, it has complied for management of other key components, such as architecture planning, investment management, and security planning.

• EPASS did, and continues to have, a Project Officer authorized to oversee the contractor’s work.

• OIG should focus on cost benefits of project accomplishments rather than total expenses, among these, issuing 7,000 smart cards to EPA employees and non-federal workers.

We recognize that developing an information system during a period where federal requirements continually evolve is a significant undertaking for SMD and its management. We further recognize that EPA is on the leading edge of federal agencies that have issued smart cards to its civilian employees and contractors. Although innovation involves taking risks, we feel that it is incumbent upon management to implement practices for innovation to mitigate risks to an acceptable level.

Developing EPASS is a high-risk undertaking. We feel that SMD chose to follow an ambitious implementation plan, which resulted in SMD spending the total project funding within 27 months. Our concern is that the Federal HSPD-12 requirements are now defined and SMD has yet to establish the formal processes needed to minimize the risk to EPA and guide them in the continued development of EPASS.

Recommendations

We recommend that the Director, Security Management Division, Office of Administration, Office of Administration and Resources Management:

2-1  Develop and maintain an EPASS System Management Plan. The plan should include all documentation that supports management’s adherence to all control gates and decision points related to ensuring EPASS compliance with prescribed EPA SLCM guidance.
     The plan should also include all
     required change management and required information security documents.

2-2  Appoint a certified EPASS Project Manager as required by EPA SLCM.
     The appointment memorandum should also include specific language to
     reinforce expectations for that person to manage the EPASS project through
     its life cycle and ensure compliance with EPA’s SLCM guidance.

2-3  Issue a memorandum to all EPASS Task Order Project Officers that outlines
     and reinforces expectations for complying with EPA invoice-reviewing
     guidance.

2-4  Follow up with the Contracting Officer to ensure EPA collects from the
     contractor the amount EPA overpaid for billing rate errors in the
     contractor’s invoices.

Agency Comments and OIG Evaluation

The Agency indicated that it has taken actions to address many of our concerns.
However, we believe the actions taken do not adequately address our concerns.
The Agency’s complete response is at Appendix B.

In general, EPA disagrees with the report’s findings. EPA indicated:

• It was not able to follow prescribed EPA system development guidance
  because the requirements for the EPASS project were unknown at the
  initiation of the project.

• A qualified Project Officer and Project Manager were involved in the
  EPASS project from its inception.
  The Project Officer had overall project
  responsibility while the Project Manager was to manage the IT aspects,
  including the contractor’s performance.

• There are no real cost overruns, savings to identify, or misspent monies.

• EPASS invoices are reviewed and paid following the guidelines set forth
  in Chapter 11 of the Contracts Management Manual, and Chapter 3 of the
  Recertification for Contracting Officer Representative Manual.

We found that although the EPASS requirements were not known at the initiation
of the project, EPA had not taken steps to put in place processes to control the
cost of the EPASS project. As such, EPA had not developed a System
Management Plan to manage the EPASS project and document key decisions and
control points completed as required by EPA guidance. Furthermore, OARM had
not implemented a Change Management Process to ensure that as new project
requirements occurred, there was a system in place to introduce these
requirements in the system development process.

Our research and interviews concluded that although the EPASS project had a
certified Project Manager listed on the project, the employee was not responsible
for ensuring the project progressed through the System Development Life Cycle
(SDLC) as required by EPA and OMB guidance. We found that the Project
Manager lacked authority to guide the EPASS project and was not receiving cost
information necessary to monitor the contractor’s performance.
We believe that
had OARM assigned a Project Manager with authority to guide the EPASS
project, OARM would have had a better handle over the unanticipated additional
costs for EPASS. Additionally, OARM would have been able to put into place
processes that would have minimized the risk to EPA when undertaking a
high-risk project with evolving requirements. Furthermore, our research and
interviews revealed that the assigned EPASS Project Officer lacks the knowledge
and experience necessary to provide system development guidance on a project of
this magnitude. Therefore, we believe that in order for EPASS to successfully
progress through the required SDLC stages, OARM should assign a certified
Project Manager with authority to guide the project.

With respect to OARM’s invoice payment processes, although OARM assigned
five Task Order Project Officers responsible for reviewing the contractor
invoices, our subsequent interviews revealed that some personnel had not
received the invoices to review until August 2008. Furthermore, even though
OARM cites that it follows invoice review procedures outlined in EPA’s Contract
Management Manual, we found that OARM had not issued guidance to the five
Task Order Project Officers outlining their specific responsibilities for
documenting invoice reviews. The documentation of invoice reviews is required
by EPA guidance, and because OARM has a distributed process for reviewing
invoices, it is incumbent upon management to set the standards for this process to
ensure consistency.

OARM also provided a status of its actions to address the report’s
recommendations. OARM indicated that it has taken sufficient action to address
the report recommendations. However, for the reasons cited above, we believe
OARM has not taken action to address the report’s recommendations.
OARM
should take steps to put in place a structure to ensure that the EPASS project
progresses through the SDLC process as required by EPA guidance.

Status of Recommendations and Potential Monetary Benefits

Rec. No. 2-1 (Page No. 8)
  Subject: Develop and maintain an EPASS System Management Plan. The plan
    should include all documentation that supports management’s adherence to
    all control gates and decision points related to ensuring EPASS compliance
    with prescribed EPA SLCM guidance. The plan should also include all
    required change management and required information security documents.
  Status (1): U
  Action Official: Director, Security Management Division, Office of
    Administration, Office of Administration and Resources Management
  Planned Completion Date:
  Potential Monetary Benefits (in $000s), Claimed Amount: $902.5
  Potential Monetary Benefits (in $000s), Agreed To Amount:

Rec. No. 2-2 (Page No. 9)
  Subject: Appoint a certified EPASS Project Manager as required by EPA SLCM.
    The appointment memorandum should also include specific language to
    reinforce expectations for that person to manage the EPASS project through
    its life cycle and ensure compliance with EPA’s SLCM guidance.
  Status (1): U
  Action Official: Director, Security Management Division, Office of
    Administration, Office of Administration and Resources Management
  Planned Completion Date:
  Potential Monetary Benefits (in $000s), Claimed Amount:
  Potential Monetary Benefits (in $000s), Agreed To Amount:

Rec. No. 2-3 (Page No. 9)
  Subject: Issue a memorandum to all EPASS Task Order Officers that outlines
    and reinforces expectations for complying with EPA invoice-reviewing
    guidance.
  Status (1): U
  Action Official: Director, Security Management Division, Office of
    Administration, Office of Administration and Resources Management
  Planned Completion Date:
  Potential Monetary Benefits (in $000s), Claimed Amount:
  Potential Monetary Benefits (in $000s), Agreed To Amount:

Rec. No. 2-4 (Page No. 9)
  Subject: Follow up with the Contracting Officer to ensure EPA collects from
    the contractor the amount EPA overpaid for billing rate errors in the
    contractor’s invoices.
  Status (1): U
  Action Official: Director, Security Management Division, Office of
    Administration, Office of Administration and Resources Management
  Planned Completion Date:
  Potential Monetary Benefits (in $000s), Claimed Amount: $75.2
  Potential Monetary Benefits (in $000s), Agreed To Amount:

(1)  O = recommendation is open with agreed-to corrective actions pending
     C = recommendation is closed with all agreed-to actions completed
     U = recommendation is undecided with resolution efforts in progress

Appendix A

OIG Estimate of Efficiencies

I. Estimated Efficiencies for Recommendation 2-1

The condition found involves:

____ Reduction in Outlays
____ De-obligation of Funds
____ Avoidance of Unnecessary Expenditures
____ Increase in Revenue (e.g., Uncollected Fees)
 X   Other

Based on SMD’s anticipated costs for the current SOW, the OIG estimates SMD spent
approximately $1,321,946 more than anticipated for the first 2 years. SMD has prepared a new
SOW to continue system development and deployment. It estimates 10 percent of the new SOW
will be for system development. If SMD follows OIG recommendations, the estimated efficiencies
will total $902,530 for the new SOW’s base year and 4 option years as described below.

Estimate involves efficiencies/savings related to:

____ a one-time event
 X   the current and following year for operations of a continuing nature
____ the next 5 years for reductions in a long-term program or program terminations

Calculation of Gross Savings

The OIG estimates that SMD could avoid project costs escalating over budget on the new
EPASS contract by an amount similar to what was underestimated on the EPASS contract that
ended in January 2008.
Management indicated that approximately 10 percent of the new EPASS
$16,936,737 contract is related to system development efforts by the contractor. The OIG’s
calculation of Gross Savings is as follows:

Current SOW

The first calculation relates to the base period and option period 1. Each period is 12 months,
beginning in November and ending in October.

Amount Budgeted for Base Period                                      $   765,863
Amount Budgeted for Option Period 1                                  +   622,037
Total Budgeted for Base Period and Option Period 1                   $ 1,387,900

Paid Invoices through July 2007 (21 invoices)                        $ 2,371,116
Total of Budget Base Period and Option Period 1                      - 1,387,900
Amount Underestimated through July 2007                              $   983,216

The following calculation estimates the cost of invoices not yet approved (August-October 2007)
for the current period. We did this to project an amount for a full 12-month period.
We
calculated a monthly estimate by averaging the total amount of all invoices received.

Paid Invoices through July 2007 (21 invoices)                        $ 2,371,116
Average amount per invoice ($2,371,116 / 21 invoices = $112,910)
Estimate for 3 Months of Invoices (August-October 2007)
  ($112,910 X 3 months)                                              +   338,730
Total Estimated Project Costs                                        $ 2,709,846

Total Amount Unanticipated ($2,709,846 - $1,387,900)                 $ 1,321,946

Percentage of Unanticipated Costs on Current SOW
  ($1,321,946 / $1,387,900)                                                  95%

New SOW

Amount Budgeted for New SOW                                          $ 9,611,890

Percentage of SOW Identified as System Development                           10%

Amount Attributed to System Development ($9,611,890 X 10%)           $   961,189

Percentage of Historical Unanticipated System Development Costs              95%

Estimated Unanticipated Costs if
  Recommendation 2-1 is Not Implemented ($961,189 X 95%)             $   913,130

(a) Gross Estimates of Efficiencies                                  $   913,130

Calculation of Cost to Implement Recommendation 2-1

The OIG estimates it will take SMD 10 days to comment on the OIG’s estimate; 5 days to draft
the technical direction memorandum; and 2 days for the Contracting Officer to review the
technical direction memorandum and issue it to the contractor.
The cost to implement is
estimated as follows:

Estimated 7 days by GS-15 at $700 per day                            $   4,900
Estimated 7 days by GS-14 at $600 per day                            +   4,200
Estimated 3 days by GS-13 at $500 per day                            +   1,500
(b) Total estimated costs to implement                               $  10,600

Estimate of Net Efficiencies/Savings

(a – b) or ($913,130 - $10,600)                                      $ 902,530

II. Estimated Efficiencies for Recommendation 2-5

The condition found involves:

____ Reduction in Outlays
____ De-obligation of Funds
____ Avoidance of Unnecessary Expenditures
____ Increase in Revenue (e.g., Uncollected Fees)
 X   Other

Management approved contractor invoices that contained overcharges. The contractor
overcharged on at least 10 monthly invoices for incorrect labor rates or incorrect labor
categories.
As a result, EPA overpaid an estimated $75,275.66 in contractor labor charges.

Estimate involves efficiencies/savings related to:

____ a one-time event
 X   the current and following year for operations of a continuing nature
____ the next 5 years for reductions in a long-term program or program terminations

Calculation of Gross Savings

SMD identified 10 invoices in which the contractor over-billed EPA for incorrect labor charges.
The calculation of gross savings is as follows:

Invoice Month                           Amount Overcharged
September 2006                             $ 9,959.08
October 2006                                11,504.21
November 2006                                4,232.42
January 2007                                 5,548.55
February 2007                                3,369.80
March 2007                                   4,764.20
April 2007                                   3,718.40
May 2007                                     5,112.00
June 2007                                   10,663.05
July 2007                                   16,403.95
(a) Gross Estimate of Efficiencies         $75,275.66

Calculation of Cost to Implement Recommendation 2-5

The OIG estimates it will take SMD 1 hour to follow up with the Contract Officer to ensure
EPA has received payment from the contractor for overcharges.

Estimated .0125 day by GS-15 at $700 per day                              87.50
(b) Total estimated costs to implement                               $    87.50

Estimate of Net Efficiencies/Savings

(a – b) or ($75,275.66 - $87.50)                                     $75,188.16

Appendix B

Agency Response

August 5, 2008

MEMORANDUM

SUBJECT:  OARM Response to Draft Audit Report:
          EPA Personnel Access and Security System Would Benefit
          From Improved Project Management to Control Costs and the Timeliness
          of Deliverables
          Assignment No. 2007-000557

FROM:     Wesley J. Carpenter, Director /s/
          Security Management Division

TO:       Rudolph M. Brevard, Director
          Information Resources Management Assessments

OARM appreciates the opportunity to comment on the latest version (June 24, 2008) of
the Draft OIG Audit Report of EPASS, Assignment Number 2007-000557. We believe that
most of our comments pertaining to the earlier drafts are still valid; therefore, we have attached
and are resubmitting them for inclusion in the final report.

We thank you again for your consideration and hope that we can reach a satisfactory
resolution of these issues.

Attachment

cc:  Renee Page
     Dennis Bushta
     Cheryl Reid

OARM’S COMMENTS

Our comments are organized by the four themes highlighted in the latest version (June 24, 2008) of the
OIG discussion draft audit report on EPASS. Per the OIG’s request, ancillary comments have been
added to each theme to better depict and summarize previous comments submitted by OARM during its
review of the three previous draft reports.

1. OIG Theme No. 1: OARM did not follow EPA’s interim System Life Cycle Management (SLCM)
   procedures, which require proposed IT systems be defined in terms of functional, technical,
   and data requirements prior to project initiation, development, or acquisition.

   OARM’s Comments: In order to maximize the effectiveness of the SLCM in developing new IT
   applications, a clear knowledge of functional, technical and data requirements is essential prior to
   project initiation, development, or acquisition. Unfortunately, such complete knowledge was not
   available by the time the EPASS project had to be initiated. If EPA had delayed initiation until all
   up-front information had been available, the Agency would not have been able to meet federally
   mandated implementation deadlines.

   • The IG report does not mention that the EPASS project was mandated by the White House and
     was the first of its kind ever undertaken by the Federal government, EPA, or the private sector.
     Because of HSPD-12’s stringent implementation deadlines, Agency activities had to be initiated
     amid many uncertainties and unknowns, changing requirements, and equipment and technology
     use restrictions.

   • At the time of contract award, final HSPD-12 PIV standards had not been issued nor had the
     relevant equipment or software been properly tested and approved by NIST and GSA for
     inclusion on the government’s approved procurement list (APL).

   • Over the life of the project, additional or supplemental OMB policy and NIST technical documents
     have been published adding either new requirements or amending those already in place.
     In fact,
     between March 2006 and August 2008, a total of 11 technical documents impacting HSPD-12
     configuration and specifications were issued creating additional work for all agencies.

   Ancillary Comments OIG Theme No. 1:

   • In order to accurately portray EPASS, the report should provide a fair and equitable description of
     why the program was implemented, what the program is designed to accomplish, its mandates,
     timeframes, and the circumstances surrounding implementation. Insert a background statement
     on EPASS in the report’s introduction to provide the necessary framework to completely
     understand the full complexity of the program.

   • The report states that EPASS lacked a detailed statement of work (SOW). The reason the SOW
     did not contain detailed tasks had nothing to do with the allegation that SMD did not follow SLCM
     procedures. In the case of a project where little is known about specific requirements, it is not
     uncommon for the SOW to be void of detailed tasks and deliverables. The original EPASS
     contract recognized this and, upon award of the first option year, the contract was amended to
     include detailed tasks and deliverables.

   • The OIG report states that 59 percent (75 of 127) of EPASS’ tasks were either late or lacked
     information on due dates. It also states the SOW didn’t contain specific tasks. These
     statements are conflicting; they need to be reconciled prior to the next iteration of the report.

   • OARM strongly recommends that the OIG interview the EPASS CO to better understand the
     contracting process and how the EPASS contract was advertised and awarded.
     This request has
     continually been ignored.

2. OIG Theme No. 2: OARM did not assign an EPASS Project Manager who has the certification
   and authority to oversee contractor performance and compliance with EPA’s interim SLCM.

   OARM’s Comments: A qualified Project Officer and Project Manager (IT) were involved in this
   project from inception. The Project Officer had overall project responsibility while the Project
   Manager was to manage the IT aspects, including the contractor’s performance.

   • Since inception of this project in late 2005, all monthly reports and invoices were shared with the
     PM.

   • The PM played a key role in monitoring the ongoing performance of the contractor as well as
     providing oversight and direction for the technical aspects of the contract.

   Ancillary Comments OIG Theme No. 2:

   • This conclusion is not supported by the facts. No such restriction was ever placed on the PM
     (IT).

   • OARM has strongly recommended that the OIG interview the EPASS PM to better understand
     the details of EPASS contract administration and management. This request has continually
     been ignored and neither the original PM, nor the CO, have ever been interviewed.

3. OIG Theme No. 3: Costs were more than expected and unanticipated; unnecessary
   expenditures could have been avoided.

   OARM’s Comments: Due to the many uncertainties and unknowns that existed at the inception of
   this project, total costs and time frames were underestimated. However, this does not support the
   OIG’s implication that funds were wasted or misused.
   The report’s references to potential monetary
   benefits, estimates of efficiencies, gross savings, and avoidance of unnecessary expenditures are
   unsubstantiated and should be deleted.

   • The IG Report continues to imply that OARM overran costs on the contract, which is misleading
     as is the potential cost savings based on this notion.

   • Any increase in costs was due to evolving, changing, and increasing program requirements
     imposed by lead Federal agencies resulting in an expanded level of effort.

   • The follow-on contract was awarded March 19, 2008, and includes a base year and four one-year
     option periods with a total contract ceiling amount of $9.6 million.

   • The best way to measure EPASS cost benefits is to evaluate project accomplishments against
     total expenditures (i.e., OMB and internal EPA approvals of the HSPD 12 implementation plan;
     meeting executive mandate to issue smartcards by October 26, 2006; implementing a federally
     compliant physical access control system at Potomac Yard; and issuing almost 14,000
     smartcards to EPA employees and non-Federal workers).

   Ancillary Comments OIG Theme No. 3:

   • There are no real cost overruns, savings to identify, or misspent monies; therefore, remove any
     references to these unsubstantiated issues.

   • If the OIG really feels that there is legitimate cost savings to capture, then the way to do it is by
     means of a bona fide cost benefit analysis.

4. OIG Theme No. 4: OARM has no formal procedures for reviewing and approving contract
   invoices or addressing overpayments.

   OARM’s Comments: EPASS invoices are reviewed and paid following the guidelines set forth in
   Chapter 11 of the Contracts Management Manual and Chapter 3 of the Recertification for
   Contracting Officer Representative Manual. It was this review that led to SMD identifying the
   contractor’s overbilling after receipt of the invoice from the contractor.

   • Each month every invoice is reviewed by all TOPOs (IT, ID Proofing/Registration, and PACS)
     before final PM approval.

   • Currently, the $75,276 overpayment has been suspended by the CO and COTR. The
     contractor’s request for the funds has been denied by the CO.

   Ancillary Comments OIG Theme No. 4:

   • This theme implies SMD has no process for reviewing invoices. This is not true; review of
     contractor invoices follows the guidelines set forth in Chapter 11 of the Contracts Management
     Manual and Chapter 3 of the Recertification for Contracting Officer Representative Manual. Each
     month every invoice is reviewed by all TOPOs (IT, ID Proofing/Registration, and PACS) before
     final PM approval.

   • The OIG report states that the EPASS project paid $75,276 in erroneously billed contractor labor
     overcharges. What it fails to mention is this issue was raised by the EPASS PM prior to
     approving the first invoice containing overcharges.

   • Subsequent invoices containing overcharges were also paid.
     At issue was the contractor’s ability
     to increase its rates whenever a contract option period was exercised early.

   • The EPASS PM was compelled to pay subsequent invoices pending the outcome of discussions
     between the CO and contractor.

   • Once a formal CO decision was rendered, all overcharges were recovered.

Status of Recommendations and Potential Monetary Benefits

2-1 Develop a Technical Direction memorandum that specifies how the contracting firm must
    implement system development processes compliant with EPA’s SLCM. Technical Direction
    memorandum should specify that no system development should begin until the company
    defines, and EPA approves, the requirements for the system under development. The Technical
    Direction memorandum should be approved by the EPASS Contracting Officer and issued to the
    company awarded the new EPASS contract.
    Status: Section C.2, Compliance with EPA Policies for Information Resources Management
    (EPAAR 1552.211-79, Oct. 2000), part (b) (1) of the newly awarded EPASS contract requires the
    contractor to comply with the 2100 Series (2100-2199) of the Agency’s Directive System which
    contains the requirements for SLCM compliance.
    Planned Completion Date: Complete on contract award date, March 16, 2008.

2-2 Develop and implement a formal Change Management process that meets the requirements of
    EPA’s SLCM guidance.
    Status: Section C.2, Compliance with EPA Policies for Information Resources Management
    (EPAAR 1552.211-79, Oct. 2000), part (b) (1) of the newly awarded EPASS contract requires the
    contractor to comply with the 2100 Series (2100-2199) of the Agency’s Directive System which
    contains the requirements for SLCM compliance.
    Planned Completion Date: Complete on contract award date, March 16, 2008.

2-3 Assign a Project Manager who has the certification and the authority to oversee the EPASS
    project as required by EPA’s SLCM guidance.
    Status: We already have a certified PM with authority to oversee the contractor’s performance.
    Planned Completion Date: Since inception of the original contract.

2-4 Develop and document formal procedures for reviewing contractor invoices.
    Status: EPASS invoices are reviewed and paid following the guidelines set forth in Chapter 11 of
    the Contracts Management Manual and Chapter 3 of the Recertification for Contracting Officer
    Representative Manual.
    Planned Completion Date: Since inception of the original contract.

2-5 Follow up with the Contracting Officer to ensure EPA collects from the contractor the amount EPA
    overpaid for billing rate errors in the contractor’s invoices.
    Status: The cost associated with the overpayment of $75,276 was previously suspended by the
    CO, so the Agency has already recovered the money.
    The EPASS CO has officially disapproved
    the contractor’s request for a refund of these funds.
    Planned Completion Date: Complete on January 16, 2008.

Appendix C

Distribution

Office of the Administrator
Assistant Administrator for Administration and Resources Management
Director, Office of Administration, Office of Administration and Resources Management
Director, Security Management Division, Office of Administration and Resources Management
Agency Follow-up Official (the CFO)
Agency Follow-up Coordinator
Office of General Counsel
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for Public Affairs
Audit Follow-up Coordinator, Office of Administration and Resources Management
Deputy Inspector General